Posted
by
Soulskill
on Friday July 29, 2011 @11:33AM
from the source-of-conflict dept.

Digana writes "Emacs, one of GNU's flagship products and the most famous software creation of Richard Stallman, has been discovered to be violating the GPL since 2009-09-28 by distributing binaries that were missing source. The CEDET package, a set of contributed files for giving certain IDE functionality related to static code analysis, has distributed files generated from bison grammars without distributing the grammar itself. This happened for Emacs versions 23.2 and 23.3, released during late 2009, and has just been discovered."

I still use emacs from time to time. My biggest complaint is that it's not particularly friendly to occasional users. When I used it full time at university, I developed a fairly solid grasp of it. Now that I live in a world that expects Office, I find I have a heck of a time going back - if you don't remember the shortcuts, you're fairly SOL.

The problem in this case is that the concepts of "source code" and "object code" are a bit fuzzy with generated code that is GPL-licensed.

Someone wrote the bison grammar files (which are the missing source code in this case) and "compiled" them, by running bison over them. The resulting files were "object code" in the light of GPL, as they're not really intended nor suitable to be read or edited by a human (and the GPL's definition of source code is "the preferred form of the work for making modifications to it"), but at the same time, they were still technically source code, as in something that can be fed to another compiler, together with the actual source code of Emacs to build the executable Emacs binary.

Thus, the final binary can be recreated from those tarballs just fine, because *technically* it's the full Emacs source code all right. Legally, though, it's not, because of the definitions in GPL.

No, there's really no question that the Bison grammar is preferred. The only real question is why this is news at all. It's such a minor violation it's a complete technicality. The code for the Bison implementation and the grammar file are all GPL and available as well, they just weren't in the tarball for distribution due to a small oversight.

Except that, if I wanted to change the grammar, I'd have to plod through the horrid code bison generated rather than the bison grammar files (which are the "true" source) so even technically it's no more the full Emacs source code than releasing the unassembled ASM output of gcc would be the full source for a C program. In this case, the common technical definition and the legal definition seem to be in unison.

Thus, the final binary can be recreated from those tarballs just fine, because *technically* it's the full Emacs source code all right. Legally, though, it's not, because of the definitions in GPL.

Not so. If what you seem to be implying were true (that there's no ethical problem with this, just a legal one because of the wording of the GPL), people could simply compile their source down to assembly and distribute the "source" that way. The final binary could be created from the compiler-generated assembly just fine, but that's not the issue here. The goal of the GPL is to prevent distribution of any generated machine instructions (in any form or language) without distribution of the original (in any

Not really strange, no one cares except pedants who were too busy slurping Stallman's wiener and bitching about everyone else to notice their own hypocrisy.

This is simply no big deal, the source to the files IS available. There really ISN'T a GPL violation. Its just not in a specific set of packages, which there is no requirement for it to be so.

The GPL requires the source to be available, it is, its just not included by default, which is perfectly acceptable.

Second, in order for this to be a violation, the authors of said files have to call it a violation. You (nor I) get the right to determine its a violation (again, this goes contrary to what most GPL zealots think). The copyright holder does, to which, the copyright holder may have granted an exception or special license to Emacs for this purpose.

The only thing going on here is a few people getting their panties in a bunch over nothing. Another fine example of why any intelligent company keeps as far away from GPL as possible, the followers of the Cult of GPL will happily stab themselves in the eye because a doctor gives them pink eye medicine.

If the original author of these files hasn't bitched, there is no violation. If he or she has/is then we have something to talk about, but I find it highly unlikely that said person will be raising much hooha about it.

Mistakes happen, everyone needs to not go retarded nuts over shit like this in relation to the GPL, you just make yourselfs look like a bunch of dick heads.

(Note: This post isn't entirely directed at the person I'm responding too, just happens to be the place I decided to post my thoughts)

The GPL requires the source to be available, it is, its just not included by default, which is perfectly acceptable.

No, it isn't available, which is the entire problem.

If you downloaded the source package for emacs from the repositories of your chosen distro, you would not receive the files in question.

Again: Many organizations are distributing emacs binaries, but not making the full source available. That's a GPL violation.

Second, in order for this to be a violation, the authors of said files have to call it a violation

That's simply not true. If you are not in compliance with the terms of a license agreement, then you are not in compliance with the terms of that license agreement whether anyone knows or cares that you are.

For this violation to result in legal action the copyright holder has to know and care.

The only thing going on here is a few people getting their panties in a bunch over nothing.

It isn't nothing, but it also isn't a huge deal because the non-compliance was accidental and the solution straightforward.

The response seems commensurate with the issue. Oh Shit we screwed up, but oh well shit happens.

How about you just ignore whatever few people you see as over-reacting as the outliers they are, and I'll ignore the idiocy you spouted immediately after the last quote up there. Deal?

it's build fine since it has the bison output which is all the compiler needs. Basically there are some Elisp files that are actually generated by from some grammar files, those Elisp files were added without the grammar files being added. When doing a build you have no way of knowing that some random Elisp file isn't actually the "true" source code.

The fact that no one has noticed/complained would to me indicate that no one wants them. If someone wanted them, they would look for them, not find them, inquire, and it would probably have been fixed.

Yes they should be there, and yes this should be fixed but is an (assumably) reasonable mistake this big a deal?

Would be different if someone was refusing to provide the source material or something, but this just seems like a case of “oops, forgot.. give me a sec..”. Certainly not

Who have they infringed on? (not a snarky reply, I really don't know. I don't know enough about how the FSF works). This seemed more an issue of contract violation (the contract the devs have with the FSF) in which case the FSF could sue RMS? Or the one who did the merging? Could someone who downloaded the software sue the FSF?

As an anonymous poster above mentioned, I believe it's only a GPL violation if they refused to provide it, right? If no one found out until now, that leads me to believe that no one had asked. This certainly seems in the realm of "whoops, my bad" than in any nefarious hypocrisy from RMS and the Emacs developers.

As an anonymous poster above mentioned, I believe it's only a GPL violation if they refused to provide it, right? If no one found out until now, that leads me to believe that no one had asked.

If they have failed to provide it when requested, not "refused", and they have: the thing that is purported to be the complete source code that is available on request is not the complete "source code" as defined in the GPL, so insofar as everyone who has downloaded the thing purporting to be the complete source code

Sure they did (violate the GPL). You're still required to provide an offer of source, and to provide it when requested per that offer. They weren't doing that (providing the source when requested), unintentionally or not. That's copyright infringement.

I just shuddered. No seriously, it started at the tips of my toes and went all the way to my head, giving me goosebumps and making my hair stand on end all along the way. I think I'll need to sleep with the lights on tonight.

b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for sof

Maybe now the FOSS zealots will believe the argument 'it could happen to anyone'...

What argument? They believe that distributing software without the source code is a bad thing, which is why the GPL was written. This incident only serves to illustrate their continued belief in that principle.

We have made a very bad mistake. Anyone redistributing those versionsis violating the GPL, through no fault of his own.

We need to fix those releases retroactively (or else delete them), andwe need to do it right away.

I see two quick ways to fix them: to delete the compiled files, or toadd the sources they are made from.

Yes. And this is what happens all the time in F/OSS license violation cases. No-one pays out zillions of dollars: they fix the infringement. Happens to hardware vendors who haven't got a clue, malicious software vendors who got caught, well-intentioned ones who made a mistake...happens all the time. I dunno why this is suddenly news.

(For example, I suspect it's somewhat unlikely that any Linux distribution's 'F/OSS only' repositories are actually F/OSS only. The distros which take license compliance most seriously - Debian and Fedora/Red Hat - actively search out licensing issues, find them all the time, and get them resolved. This is a deeply un-sexy ongoing background process which most people are shielded from by the power of not giving a crap. But yeah, since we've been finding licensing issues that affect all distros that haven't been caught in years _all the time_, it seems unreasonable to assume that the last big one we found was the last one and everything's fine now.)

I think it's interesting that this is a story on Slashdot. The GPL is a copyright license and therefore relies on copyright law to have any power. Anti-copyright, pro-piracy stories are often posted here, yet whenever there's a GPL violation story, copyright is suddenly important again.

It's become something of a Slashdot cliche to see this:"How dare the RIAA sue those pirates! Piracy isn't even theft!"

Followed by this:"Somebody stole GPL code? The FSF should take them to court!"

On the face of it, this looks like an accident. There really wasn't a lot to be gained by not publishing the source. And the initial message notifying the public was a "we need to fix this yesterday, one way or another". Someone who was doing this out of malice would have put out a "we were notified of the problem and are taking appropriate steps to address the issue" while they covered their asses.

I was really under the impression that the GPL said you had to distribute the source to anyone you sent the binaries if they actually bothered to request it. I mean, usually that means you publish both, just as a matter of convenience, but not of necessity.

That seems to be the point though - not only are the sources not included, they're not made available either. That means that you or I can download that binary and (incomplete) source distribution of EMACS, give it to someone else, and thus be in violation of the GPL as we cannot make the full source available.

please refer to GPL, section 6, part c. There is no obligation to bundle source with the object/binary distribution.

one of the acceptable methods of distributing source code is :

c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.

The fourth section for version 2 of the license and the seventh section of version 3 require that programs distributed as pre-compiled binaries are accompanied by a copy of the source code, a written offer to distribute the source code via the same mechanism as the pre-compiled binary, or the written offer to obtain the source code that you got when you received the pre-compiled binary under the GPL

source [wikipedia.org]. So, in other words, not distributing the source with it isn't a problem necessarily, although I imagine they didn't add any written offers to provide the source, so it may be a technical violation. Since I'm sure they would distribute the source on request, and since I imagine you can get the source easily enough if you want, this really doesn't seem to be an issue at all. Except that RMS is... well, a little on the obsessive side, to say t

Not quite. You basically have two options (simplifying here, and this goes for v2 or v3):

1) Include the source2) Include an offer to provide the source

Merely publishing the source somewhere isn't enough, and you can't just reactively provide the source when requested. If you don't want to include the source with the binaries, you have to include the offer with the binaries instead.

I was going to question the correctness of your claim that "merely publishing the source isn't enough", and that you can't do it reactively, as that runs counter to how I'd always understood the license, and then decided I should first check the GPL's terms to be sure that I understood it correctly. ( http://www.gnu.org/licenses/gpl.html [gnu.org] )

The GPL3 (which I believe Emacs uses, as far as I can tell?)'s section six includes the offer "access to copy the Corresponding Source from a network server at no charge".

Actually, you're supposed to make it available if you're distributing downloadable copies, no request necessary. The "by request" is if you distribute physically (in a device, or on physical media). See Section 6, Conveying Non-Source Forms, of GPLv3 [gnu.org].

That is the basic gist of it. Source doesn't have to be shipped together with binaries. GPLv3 changes the 'bothered to request it' part as that is something of an artifact of physical media distribution of GNU software.Quick Guide to GPL v3 [gnu.org]

One of the fundamental requirements of the GPL is that when you distribute object code to users, you must also provide them with a way to get the source. GPLv2 gave you a few ways to do this, and GPLv3 keeps those intact with some clarification. It also offers you new ways to provide source when you convey object code over a network. For instance, when you host object code on a web or FTP server, you can simply provide instructions that tell visitors how to get the source from a third-party server.

The actual wording for network distribution in the GPLv3 says you just have to make or have the source available in the same methods that the binaries wereGPLv3 [gnu.org]

d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.

I bet we can find Emacs source on the same server we can find Emacs binaries.

To comply via methods b) or c) where you only need to make the source available to those who request it, you do have to include an offer saying that this is the case with the object code.

But they aren't doing that because nearly everyone distributing emacs is complying with the GPL via methods d -- allowing an optional source download from the same place they downloaded the emacs binary -- or method a -- including the source itself along with the object files in a physical medium.

Not only does RMS disagree with you since even he says Emacs is in violation, but the GPL stipulates that the source code must either be included, or a written offer to provide it must be included, and neither was done. You don't just provide the source by request.

No, object code is included and the source is not (for the component at issue). The fact that the code is in a format that might be used for other source code (and which needs further compilation to make it executable) doesn't make it source code. The GPL defines "source code" as "the preferred form of the work for making modifications to it", and "object code" as " any non-source form of a work". So, under the GPL, what was distributed as

No, it is not source code in the sense the GPL requires: "the preferred form of the work for making modifications to it". Just because something is in compilable ascii code doesn't make it the source code. You could no doubt convert a binary into some huge hex constant which would be valid C and would compile back to the binary, but nobody would accept that as the source code.

That said, the problem is trivial. It is obviously just a minor cock-up which no-one has noticed. Formally, they should either have i

Bison's output isn't binary, it's C (a somewhat contrived and difficult to understand C, but C nevertheless). It doesn't generate "compiled binaries", as the article points out.
It's still source code. Maybe not the original source code, but source code anyway. I don't think that violates the GPL intrinsically (maybe it violates its spirit, but not the license by itself).

As I understand it, the license defines "source code" as roughly "if you're going to edit this program, the source code is file you would edit".

And it's worded that way to specifically avoid this scenario - if the original author would use Bison to change the program, the Bison code is the "source", not the outputted C code (because you're not intended to edit the C code - you'd go back to Bison and change it there).

I read up and down the thread a few posts, and I think this is a bit of a tempest in a teapo

...that has violated the GPL, it's anyone who has _redistributed_ Emacs. The original distributors (FSF, I assume) have presumably had the source available and could have given it to anyone who asked for it, which is what the GPL requires. They just forgot to put it in the tarball.

But people who have redistributed the Emacs package, like for example GNU mirrors or every desktop Linux distribution in the world, could not have made the source available upon request, since they never had it.

People seem to love hating on this guy, but let's look at how he handled the situation:

"We have made a very bad mistake."

No PR bullshit, or excuses, just acknowledgment followed by a suggested solution. In this day it's not often you see that above-quoted sentence. Especially from know-it-alls on the internet who just shoot spitballs at people who get things done.

They would obviously have fixed it the moment somebody points it out. If somebody was daft enough to go to court over it. They'd basically say "yea, this was a mistake, we didn't notice it because nobody seems to have been bothered with it, so we don't think it really affected anybody. When we became aware of it we fixed it." If that kind of thing did not stand up in court you'd basically be liable every time you had a network problem. Now granted some countries have fucked up legal systems, but that is not

The FSF is the copyright holder of Emacs. All code that is integrated with Emacs is covered by a copyright assignment. They can't violate the GPL when they distribute Emacs, because they are not bound by it.

You're wrong. See GPLv3, section 6. "By request" only applies when object code is distributed via physical media or in a physical product. If it's downloadable, you must also provide downloadable source, no request needed.

Haha:p Honestly, I started out as an emacs user but got fed up with it (I couldn't stand the keybindings in my PT keyboard -- why is every fucking thing made for american keyboards even while I have localized packages? Just change the keybindings according to LINGUAS!!). Moved to vim and am never coming back.

I don't think it is a violation of the GPL before the distributor of the binaries say "No, you can't have it" or fail to deliver within a reasonable timeframe.

Its a violation of the GPL if the distributor of the binaries doesn't either bundle the source code or provide a written offer to provide the source code on request or if, on request, they fail to provide the source code.

So, when they distribute object code and call it source code, and don't accompany it with a written offer to provide the actual sour

This is getting surreal. RMS himself said it was a GPL violation, but now everyone's trying to prove him wrong and declare that it wasn't. I never thought I'd see people in a GPL violation article on Slashdot defending the violator, much less contradict RMS himself on what is a violation and what isn't.

You know, people make mistakes. Especially groups of people when they don't realize that something wasn't someone else's responsibility. I think that RMS's immediate response of "we have to fix this yesterday" (paraphrased) shows that he is NOT a hypocrite, but is rather working fast to rectify the situation.